
Administration Guide

Databases

The antivirus scanning engine uses a virus signatures database to record the unique attributes of each infection. The antivirus scan searches for these signatures and when one is discovered, the FortiGate determines if the file is infected and takes action.

All FortiGates have the normal antivirus signature database. Some models have additional databases that you can use. The database you use depends on your network and security needs, and on your FortiGate model.

The extended virus definitions database is the default setting and provides comprehensive antivirus protection. Entry-level and some mid-range FortiGates cannot support the extreme database. The FortiGate 300D is the lowest model that supports the extreme database. All VMs support the extreme database. The use-extreme-db setting is only available on models that support the extreme database.

Extended

This is the default setting. This database includes currently spreading viruses, as determined by the FortiGuard Global Security Research Team, plus recent viruses that are no longer active. These viruses may have been spreading within the last year but have since nearly or completely disappeared.

Extreme

This includes the extended database, plus a large collection of zoo viruses. These are viruses that have not spread in a long time and are largely dormant. Some zoo viruses might rely on operating systems and hardware that are no longer widely used.

To change the antivirus database:
config antivirus settings
    set use-extreme-db {enable | disable}
end

FortiSandbox database

The Use FortiSandbox database setting in the Antivirus profile enables the FortiGate's antivirus engine to receive the latest malware signatures discovered by FortiSandbox, which are stored in FortiSandbox's malware database. When Use FortiSandbox database is enabled, the FortiGate uses these signatures alongside its existing antivirus signature database for scanning. The antivirus engine searches the malware signature database and the antivirus signature database in tandem to check for a match. Once a signature match is discovered, the FortiGate determines if the file is infected and takes action.

The malware signature database supplements the existing antivirus signature database on the FortiGate. This setting is useful if a FortiSandbox solution (either FortiGate Sandbox Cloud, FortiSandbox Cloud, or the FortiSandbox appliance) is deployed.

If multiple FortiGates are deployed and FortiSandbox is in use, enabling Use FortiSandbox database in the Antivirus profile allows all of those FortiGates to download the malware signature database from your FortiSandbox. This can prevent zero-day attacks discovered by the FortiSandbox. FortiSandbox can also be configured to share its malware signature database with the Fortinet Inc. Community by enabling the required Contribute settings under your scan profile. See Scan Profile Advanced Tab in the FortiSandbox Administration Guide for information on the scan profile.

FortiGuard Labs later releases the submitted signatures in the form of antivirus updates, which FortiGates worldwide can download through FortiGuard updates. See Configuring FortiGuard updates.

To enable using the FortiSandbox database in an antivirus profile in the GUI:
  1. Go to Security Profile > AntiVirus.

  2. Select the default profile and click Edit.

  3. Under the APT Protection Options, enable Use FortiSandbox database.

  4. Click OK to save the changes.

  5. Apply this default profile to the respective firewall policy.

To enable using the FortiSandbox database in an antivirus profile in the CLI:
config antivirus profile
    edit "default"
        set analytics-db enable
    next
end
Note: It is best practice to keep analytics-db enabled.

To use the antivirus profile in a firewall policy:
config firewall policy
    edit 1
        set name "policyid-1"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set nat enable
    next
end
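As an added example, not part of the Fortinet guide, the following Python script parses a FortiOS configuration export (the config/edit/set/next/end structure shown above) and reports any firewall policy whose av-profile does not have analytics-db enabled, so a fleet of FortiGates can be audited for the FortiSandbox database setting without logging in to each one. The sample configuration is constructed for the example.

```python
# Constructed sample config export (not from a real device): one profile has
# analytics-db enabled, one does not, and a policy references each.
SAMPLE_CONFIG = """\
config antivirus settings
    set use-extreme-db enable
end
config antivirus profile
    edit "default"
        set analytics-db enable
    next
    edit "legacy-av"
        set analytics-db disable
    next
end
config firewall policy
    edit 1
        set av-profile "default"
    next
    edit 2
        set av-profile "legacy-av"
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts, e.g.
    {"antivirus profile": {"default": {"analytics-db": "enable"}}}."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ") or line.startswith("edit "):
            key = line.split(" ", 1)[1].strip('"')   # table name or entry id
            stack.append(cur)
            cur = cur.setdefault(key, {})
        elif line.startswith("set "):
            k, _, v = line[4:].partition(" ")          # "set k v" -> k, v
            cur[k] = v.strip('"')
        elif line in ("next", "end"):
            cur = stack.pop()                          # close the block
    return root

def audit(text):
    """Return policy ids whose av-profile does not have analytics-db enabled."""
    cfg = parse_fortios(text)
    profiles = cfg.get("antivirus profile", {})
    return [pid for pid, pol in cfg.get("firewall policy", {}).items()
            if profiles.get(pol.get("av-profile"), {}).get("analytics-db") != "enable"]
```

Run audit() over the text of a `show full-configuration` export; an empty list means every policy uses a profile with the FortiSandbox database enabled.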

Once the Antivirus profile is configured to use the FortiSandbox database and submit files to FortiSandbox, and the antivirus profile is used in a firewall policy, sharing of the malware database from the FortiSandbox to the FortiGate needs to be configured. For information on submitting files to FortiSandbox, see Using FortiSandbox post-transfer scanning with antivirus.

The configuration depends on the type of FortiSandbox in use. The table below shows key differences in configuration:

Type of FortiSandbox                                   Malware database sharing with the FortiGate
FortiSandbox Appliance/FortiSandbox VM (On-Premise)    Enabled using the Global Network. See Global Network in the FortiSandbox Administration Guide.
FortiSandbox Cloud (PaaS)                              Enabled by default.
FortiGate Cloud Sandbox (SaaS)                         Enabled by default.